How to set up security/SSL on ElasticSearch?

I am in the middle of upgrading Elastic 7 to 8 and ran into an SSL issue.

Currently SSL is disabled

curl -k https://10.152.0.5:9200 -u elastic:somepassword
curl: (35) error:1408F10B:SSL routines:ssl3_get_record:wrong version number

In order to support https, I added the 3 lines of xpack.security to elasticsearch.yml

elasticsearch.yml

network.host: 0.0.0.0
discovery.type: "single-node"

xpack.security.enabled: true
xpack.security.enrollment.enabled: true

# Enable encryption for HTTP API client connections, such as Kibana, Logstash, and Agents
xpack.security.http.ssl:
  enabled: true
  keystore.path: certs/http.p12

However, for some reason I don't have the certs directory under /etc/elasticsearch.

-rw-rw---- 1 root elasticsearch  1042 Feb  5 22:14 elasticsearch-plugins.example.yml
-rw-rw---- 1 root elasticsearch   199 Feb 26 01:17 elasticsearch.keystore
-rw-rw---- 1 root elasticsearch  2767 Feb 26 03:05 elasticsearch.yml
-rw-rw---- 1 root elasticsearch  2746 Feb  5 22:14 elasticsearch.yml.dpkg-dist
-rw-rw---- 1 root elasticsearch  3074 Feb  5 22:14 jvm.options
drwxr-s--- 2 root elasticsearch  4096 Nov  4  2021 jvm.options.d
-rw-rw---- 1 root elasticsearch 17969 Feb  5 22:14 log4j2.properties
-rw-rw---- 1 root elasticsearch   473 Nov  4  2021 role_mapping.yml
-rw-rw---- 1 root elasticsearch   197 Nov  4  2021 roles.yml
-rw-rw---- 1 root elasticsearch     0 Feb 26 01:27 users
-rw-rw---- 1 root elasticsearch     0 Feb 26 01:27 users_roles

With the added xpack settings, I cannot start elasticsearch at all.

[2025-02-26T03:12:13,234][ERROR][o.e.b.Elasticsearch      ] [elasticsearch] fatal exception while booting Elasticsearch
org.elasticsearch.ElasticsearchSecurityException: failed to load SSL configuration [xpack.security.http.ssl] - cannot read configured [PKCS12] keystore (as a truststore) [/etc/elasticsearch/certs/http.p12] because the file does not exist
..snip..
Caused by: org.elasticsearch.common.ssl.SslConfigException: cannot read configured [PKCS12] keystore (as a truststore) [/etc/elasticsearch/certs/http.p12] because the file does not exist
..snip..

I am so confused by the SSL setup and I don't even know if I am looking at the right page.

What did I miss?

It sounds like you're expecting Elasticsearch to auto-generate the certificates for you. That will happen on a new cluster, but is not done during upgrades (because we assume that if a cluster is being upgraded, then you already have things configured the way you want).

We also skip security auto configuration if you have explicitly set xpack.security.enabled (because in that case you have indicated that you want to configure security for yourself).

If this is a brand new cluster, just remove all of those xpack.security.* settings and you should get an auto configured setup.
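
A preflight check for the failure in this thread, added here as an example (it is not from the original posts or from Elastic): it resolves the keystore that xpack.security.http.ssl points at and confirms the file exists before the node is restarted. The function names are hypothetical, and resolving a relative path against the config directory is taken from the error message above.

```shell
#!/bin/sh
# Usage: check_es_http_ssl /etc/elasticsearch
# Run it as the account Elasticsearch runs under so -r reflects its permissions.
# Only existence and readability are checked, not the keystore contents.

# Print the configured HTTP keystore path, if any.
# Handles the nested form used on this page and the flat dotted form.
es_http_keystore_path() {  # $1 = path to elasticsearch.yml
  awk '
    /^[ \t]*#/ { next }                              # skip comment lines
    /^xpack\.security\.http\.ssl\.keystore\.path:/ { # flat dotted form
      sub(/^[^:]*:[ \t]*/, ""); print; exit }
    /^xpack\.security\.http\.ssl:/ { inblk = 1; next }
    inblk && /^[^ \t]/ { inblk = 0 }                 # next top-level key ends the block
    inblk && /^[ \t]+keystore\.path:/ {
      sub(/^[^:]*:[ \t]*/, ""); print; exit }
  ' "$1" | tr -d "\"'"
}

# Return 0 if the keystore is readable, 1 if none is configured,
# 2 if one is configured but the file is missing or unreadable.
check_es_http_ssl() {  # $1 = config directory
  conf="$1/elasticsearch.yml"
  if grep -Eq '^xpack\.security\.enabled:' "$conf"; then
    echo "note: xpack.security.enabled is set explicitly, so security auto-configuration is skipped"
  fi
  ks=$(es_http_keystore_path "$conf")
  [ -n "$ks" ] || { echo "no HTTP keystore configured"; return 1; }
  case "$ks" in
    /*) ;;                 # absolute path: use as written
    *)  ks="$1/$ks" ;;     # relative path: resolve against the config directory
  esac
  if [ -r "$ks" ]; then echo "ok: $ks"; return 0; fi
  echo "missing or unreadable: $ks"; return 2
}
```

With the configuration from the question, this reports /etc/elasticsearch/certs/http.p12 as missing, matching the boot error.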